To start, we must first define the term ransomware:
Ransomware is a specific classification of malware whose mechanism of action is described by its name. Ransomware consists of malicious applications that seek to compromise availability and integrity of data and/or the operating system as a whole until a specific condition is met (e.g. a ransom payment is made).
Earlier variants of ransomware utilized encryption mechanisms that are now considered defunct or very weak. In fact, many early variants simply attempted to prevent the victim from accessing their desktop by displaying a “locker screen”. Many of these primitive forms of ransomware could now be easily decrypted; in some cases, simply pressing the “ALT” and “TAB” keys would minimize the locker screen, and render the ransomware useless.
However, despite the release of several open source ransomware projects over the past couple years (resulting in a surge of “script kiddies” distributing their own ransomware variants that are often easily defeated or fundamentally flawed), modern day ransomware is much more sophisticated and therefore poses a greater threat.
Most modern ransomware variants fall under a specific sub-classification: crypto-ransomware.
Crypto-ransomware is a sub-classification of ransomware that, upon execution, encrypts the local filesystem, rendering the victim’s files useless until a ransom payment is made to the malware developers. Specifically, crypto-ransomware targets the integrity and availability of the local filesystem of the infected device.
Different ransomware variants demand different ransom amounts; some instruct the victim to pay as little as $20 USD, while others demand ridiculous amounts (e.g. tens of thousands of dollars). However, the majority of modern day ransomware variants do share one similarity: the ransom payment currency.
The majority of ransomware variants, old and new, require that the victim pay the demanded ransom in Bitcoin (BTC).
Bitcoin (BTC) is a digital currency that is created and held electronically. Utilizing Bitcoin allows for traders to maintain anonymity; if set up correctly, the only identifying component of BTC is the trader’s unique wallet address.
Miscreants prefer to utilize Bitcoin for this reason: to receive funds from their victims without having to worry about their identity becoming compromised.
While making a full ransom payment often will result in the ransomware author releasing a functional decryption utility to the victim, I can never justify nor would I ever recommend that anyone pay the ransom. There are many reasons for this:
- Paying the ransom supports the cybercriminals and funds their malicious activities
- There is no guarantee that a working decryption tool will be provided despite paying the ransom
- The provided decryption tool could be flawed, or the ransomware’s encryption mechanism could be flawed, causing the affected files to be corrupted and irreparable
- The attacker may have implemented a backdoor on the compromised device or other persistence mechanisms to re-infect the compromised device at a later time
Modern day ransomware generally implements strong, secure cryptographic algorithms (e.g. RSA-2048) that are virtually impossible to break without finding a flaw in the malware’s source code or compromising a backend command-and-control (C2) server central to the ransomware’s operations.
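Because the ciphertext itself cannot be broken, defenders focus on catching the encryption as it happens. The following is an added example (not code from the original post): a small file-write monitor that flags writes whose content looks like ciphertext. The entropy threshold, the magic-byte list for already-compressed formats, and the sample write events are all assumptions constructed for the example; in practice the same check would be fed by a real file-system event source.

```python
import hashlib
import math
from collections import Counter

# Entropy at or above this (bits per byte, maximum 8.0) is treated as cipher-like.
# The threshold is a tuning assumption of this example, not a figure from the post.
ENCRYPTED_THRESHOLD = 7.5

# Formats that are already compressed and therefore legitimately high-entropy;
# without this allow-list every JPEG or ZIP write would look like encryption.
KNOWN_HIGH_ENTROPY_MAGIC = {
    "zip": b"PK\x03\x04",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gzip": b"\x1f\x8b",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_compressed_format(data: bytes):
    """Return the name of a recognised compressed format, or None."""
    for name, magic in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_write(data: bytes) -> str:
    """Label one observed file write.

    'suspicious' means high entropy with no file header that explains it,
    which is what a document looks like after crypto-ransomware has replaced
    its contents with ciphertext.
    """
    fmt = known_compressed_format(data)
    if fmt is not None:
        return f"compressed:{fmt}"
    if shannon_entropy(data) >= ENCRYPTED_THRESHOLD:
        return "suspicious"
    return "plain"


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for
    ciphertext; constructed test data, not output of any real ransomware."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def scan_writes(events) -> list:
    """Return the paths whose writes look like encryption, given (path, bytes) pairs."""
    return [path for path, data in events if classify_write(data) == "suspicious"]


# Constructed sample of file-write events a monitor might observe.
SAMPLE_EVENTS = [
    ("C:/Users/alice/notes.txt", b"Quarterly budget notes. " * 200),
    ("C:/Users/alice/photo.jpg", b"\xff\xd8\xff" + pseudo_ciphertext(b"jpg", 4093)),
    ("C:/Users/alice/report.docx.locked", pseudo_ciphertext(b"doc", 4096)),
]

if __name__ == "__main__":
    for path, data in SAMPLE_EVENTS:
        print(f"{path}: {classify_write(data)} (H={shannon_entropy(data):.2f})")
    print("flagged:", scan_writes(SAMPLE_EVENTS))
```

Entropy alone is a noisy signal; it is most useful combined with rate (many such writes from one process in a short window) and with the rename pattern the post describes, where a document keeps its old name plus a new extension.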
There are three (3) distribution methods that reign king when it comes to the spreading of ransomware:
- Phishing
- Exploit Kits
- Malicious Advertisements (malvertising)
Phishing can easily be considered the most common spread vector utilized by attackers to distribute ransomware.
Phishing is a form of social engineering that can be carried out in various ways, but in the case of ransomware distribution, the most frequent method is via e-mail.
Attackers construct e-mails that are alarmingly convincing; often e-mails that contain attachments that claim to be invoices, receipts or notices from local law enforcement. These e-mails are made to strike a sense of urgency and fear in the target, causing them to download and open the attachment (or click an embedded URL) without much thought.
Often, phishing e-mails contain attachments that are in the form of Microsoft Office documents. These documents appear harmless, but more often than not contain embedded malicious macro code, that compromise the target device upon execution. The documents themselves often contain content that tell the user that macros must be enabled in order to see the document’s true content. However, this is not true; instead, upon enabling macros—an action that requires no more than a single click of a button—the malicious code is executed, and the device is subsequently infected.
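A mail gateway can catch the macro lure described above before a user ever sees the "enable content" prompt, because in the modern Office (OOXML) format a VBA project is a distinct part of the zip package. The following is an added example, not code from the original post: it inspects an attachment for that part and for the VBA content type declared in [Content_Types].xml. The minimal sample packages are constructed for the example, and the policy of routing legacy OLE2 (.doc/.xls) files for deeper inspection is an assumption of this example rather than something the post specifies.

```python
import io
import zipfile

# Content type Office declares for an embedded VBA project inside an OOXML package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 (Compound File) container used by .doc/.xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package (constructed sample, not a real document).

    Real documents carry many more parts; only what the check below inspects is
    included here.
    """
    overrides = (
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument'
        '.wordprocessingml.document.main+xml"/>'
    )
    if with_macro:
        overrides += (
            '<Override PartName="/word/vbaProject.bin" '
            f'ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    f'<?xml version="1.0"?><Types>{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project\x00")
    return buf.getvalue()


def ooxml_has_vba(data: bytes) -> bool:
    """Return True if an OOXML (zip-based) document carries a VBA project.

    Two independent signals are checked: a part named vbaProject.bin anywhere in
    the package, and the VBA content type declared in [Content_Types].xml.
    Non-zip input is reported as having no VBA rather than raising.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False
    with zf:
        if any(name.lower().endswith("vbaproject.bin") for name in zf.namelist()):
            return True
        try:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            return False
        return VBA_CONTENT_TYPE in types_xml


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify a mail attachment as 'macro', 'legacy-binary', 'clean' or 'other'.

    Legacy OLE2 documents can also carry macros but need an OLE parser to
    confirm, so (policy assumption of this example) they are routed for deeper
    inspection instead of being passed through. The filename is kept only for
    reporting; the verdict is based on content, not extension.
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if data.startswith(b"PK"):
        return "macro" if ooxml_has_vba(data) else "clean"
    return "other"


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample_ooxml(True)),
                       ("invoice.docx", build_sample_ooxml(False)),
                       ("invoice.doc", OLE2_MAGIC + b"\x00" * 16)]:
        print(f"{name}: {triage_attachment(name, blob)}")
```

Keying the decision on the package contents rather than the extension matters because the lure often arrives with a misleading name; the content type declaration is checked as well so that a renamed part is still caught.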
Social engineering is overwhelmingly successful, as it targets the user rather than technology. While technology often contains vulnerabilities and can be bypassed, humans are inherently fallible, and often referred to, in the information security realm, as “Layer 8”; the most vulnerable component within any organization.
Exploit kits, despite being around for a few years, are still growing in prevalence.
Exploit kits are web applications often powered by a PHP backend, that allow for the management and creation of malware distribution campaigns. These exploit kits also automate the entire process of scanning for, selecting, and ultimately exploiting any enumerated vulnerabilities.
Exploit kits utilize “landing pages” that are embedded with both client- and server-side code that enumerates the target’s browser, along with any enabled plugins. Adobe Flash, Oracle Java and Microsoft Silverlight are the most commonly exploited applications that are responsible for the majority of successfully compromised devices.
Essentially, a user loads this landing page (often in transparent fashion to the user), and the embedded code will enumerate the target’s device and determine if their browser or browser plugins suffer from any known vulnerabilities.
Note that when I say “known” vulnerabilities, I mean vulnerabilities that are configured within the exploit kit’s arsenal. Different exploit kits have access to different vulnerabilities, and while most are known to the vendor, as well as the general information security population, it is not uncommon for zero-day vulnerabilities (vulnerabilities that are known by the threat actors but unknown to the vulnerable application vendor or information security community) to be leveraged.
If a vulnerability is discovered, the exploit kit will automatically deliver the associated exploit to the target device, resulting in the quick and stealthy delivery of malware to the target device.
For the most part, by the time the user realizes that their device has been compromised, it is too late; the damage has already been done. Similar to RaaS (ransomware-as-a-service) offerings, many major exploit kit groups also offer their software to aspiring cybercriminals, asking for nothing more than a percentage of all traffic received to be redirected to their personal landing pages.
Yet another growing threat is the presence of malicious advertisements, or malvertising, encountered in-the-wild.
Many companies that are responsible for the management and delivery of advertisements on websites of varying popularity simply display the advertisements provided by the highest bidder. This allows threat actors to craft malicious advertisements that, with a small investment, will be displayed on legitimate, popular websites. These advertisements contain embedded code that will communicate with and load exploit kit landing pages in the background, allowing attackers to infect targets that are browsing otherwise legitimate, uncompromised websites.
Many big-name websites have been affected by malicious advertisement campaigns, including: AOL, The Huffington Post, eBay, Forbes, and countless others.
The low overall investment required to efficiently create and distribute ransomware attracts black hats of all skill level; in fact, several well-organized, sophisticated cybercrime groups have achieved great success through the distribution of ransomware.
A miscreant can obtain a custom ransomware variant with ease; either through an affiliate program, or if they possess the skill and ability, they can construct their own ransomware application from scratch.
The key to financial success is dependent on the malware authors’ ability to distribute their malware. Major exploit kits often offer to distribute malware for nothing other than a percentage of all traffic received. Furthermore, malware authors can invest in malicious advertisement campaigns resulting in huge volumes of traffic being directed toward their associated EK landing pages, resulting in huge profits.
Angler Exploit Kit Affiliate Raking in Over $60 Million Annually in Ransomware Payments Alone
The Cisco Talos group infiltrated the infrastructure of a major Angler EK affiliate and severely impacted their operations. This inside look at the cybercrime group’s operations revealed alarming statistical information surrounding their campaigns.
It was revealed that this Angler EK affiliate was raking in more than $60 million annually in ransomware payments alone. More information can be found at the below URL.
CryptoWall Developers Raking in Over $325 Million Annually
Throughout 2015, it has been determined that the CryptoWall cybercrime group alone generated as much (if not more) than $325 million from ransomware payments alone. More information can be found at the below URL.
While it is virtually impossible to track down every new variant of ransomware released in-the-wild with absolute certainty, utilizing various sources, we can calculate an approximate number of new ransomware variants that have been discovered during this time.
The three-month span of May through July can perhaps represent a typical quarter. Throughout this span, a total of seventy-five (75) new ransomware variants were discovered and reported, for the most part by either an infected user or by a security company, analyst or researcher:
- May: 20 new ransomware variants discovered
- June: 35 new ransomware variants discovered
- July: 20 new ransomware variants discovered
Throughout this three-month span, an average of twenty-five (25) new ransomware variants were discovered per month.
Most Widespread, Dominant Ransomware Families Seem to be Disappearing
Several ransomware families have made headlines throughout the years 2015 to present. CryptoWall and TeslaCrypt are two that come to mind immediately.
After the CryptoWall cybercrime group reportedly brought in approximately $325 million in ransom payments throughout 2015, they appeared to have ceased operations. Although a 4th version of the overwhelmingly successful CryptoWall ransomware family was released, it was also the last; CryptoWall is no longer the most dominant ransomware family actively being distributed in-the-wild.
TeslaCrypt, on the other hand, ceased operations without prior warning, baffling information security analysts throughout the world. In fact, the TeslaCrypt group released a plethora of master cryptographic keys associated with a large quantity of TeslaCrypt infections, allowing infected users to decrypt their files for free.
However, despite these major ransomware families ceasing operations and disappearing from the Internet, new ransomware families have entered the spotlight and taken the crown as the most dominant ransomware families discovered in-the-wild (e.g. CryptXXX).
Most Widespread, Dominant Exploit Kit Groups Seem to be Disappearing
The Angler Exploit Kit was the most dominant, prevalent, and dangerous exploit kit found in-the-wild for a very long time. However, since the beginning of June 2016, most if not all Angler instances have suddenly vanished.
Angler isn’t the only powerhouse EK that abruptly went ghost; the Nuclear EK, another widespread EK, also disappeared around the end of April 2016. It is unknown why two of the most dominant exploit kits have disappeared from the Internet; were the authors/operators arrested? Did they simply decide to cease operations while they were ahead?
While the reasoning behind these disappearances remains unknown, malware authors simply brought their business to other cybercrime groups, and utilized other exploit kits to continue to distribute their malware (e.g. Neutrino, RIG, Sundown).
Ransomware is one of the most prevalent types of malware found in-the-wild today. This will not change. Ransomware has traditionally plagued individual users throughout its existence, but more and more has begun targeting specific entities and/or industries (e.g. healthcare).
Below are some trends that I predict will be observed throughout Q4 2016 and Q1 2017:
- Targeted attacks on specific industries / groups will increase (e.g. the healthcare industry)
- Exploit kit sophistication will increase, and new exploit kit groups will become dominant
- The disappearance of Angler and Nuclear is huge; however, I believe that the cybercrime groups behind either or both of these exploit kits will return, rebranded, and dominate the EK market once again.
Finally, the future evolution of ransomware that I predict will have the greatest impact: the increased distribution of self-replicating and/or self-distributing ransomware.
The inception of self-replicating ransomware is around the corner.
While it is increasingly difficult to successfully develop a self-replicating malware that affects up-to-date, modern-day operating systems, I believe attackers will take multiple approaches. Not only will they target SMB like old malware (e.g. the Conficker worm), they will develop new methods of self-replication or self-distribution that will prove effective.
While self-replication and infection of neighboring devices is a more tedious task, I believe that self-distribution may actually be a feature that future ransomware implements. An example of self-distribution: the ransomware also containing the ability to determine the compromised user’s e-mail client of choice, enumerate their address book, and compose and distribute phishing e-mails to all discovered contacts to further spread the ransomware.
http://www.bleepingcomputer.com
http://www.talosintel.com